Sophos Firewall User Portal and Web Admin Code Injection [CVE-2022-3236]

We discussed this vulnerability during Episode 161 on 24 October 2022

A vuln where untrusted input can ultimately make its way into eval() in a Perl script via the Controller servlet. Sophos Firewall exposes two dashboards, a user portal and a web admin console. Both run a Jetty server, and requests to them go through the Controller servlet. Jetty takes the json param from the HTTP request and builds an object to send to the “CSC” server, which validates it using the CyberAPIArch Perl script. The issue is that an attacker can craft a JSON object containing a _discriminator key, a special key used to map field values to object names. When the Perl script sees _discriminator, it iterates over the hashmap stored in its value and resolves the object names to Perl objects using eval(). By supplying this key, an attacker can effectively pass arbitrary input to eval().

Interestingly, Sophos does have some filtering on the JSON keys here, but the values do not appear to be filtered. This vuln was exploited in the wild against a small number of organizations, and is similar to a previous bug that was abused by an APT in March.
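To make the pattern from the two paragraphs above concrete, here is an added Python re-creation (not Sophos code, and not the Perl script itself) of a discriminator map that turns field values into type names: one resolver hands the names to eval(), the other validates the values and looks them up in an explicit allowlist. The `User`/`Group` types, the `_discriminator` layout and the sample requests are all constructed for this example.

```python
# Added example, not Sophos code: the "_discriminator" pattern re-created in
# Python. The vulnerable resolver eval()s each value; the hardened resolver
# syntax-checks the value and looks it up in an allowlist, so filtering the
# keys alone is no longer what stands between the request and eval().
import json
import re

class User:   # placeholder types standing in for the real Perl objects
    pass

class Group:
    pass

# Names a request is allowed to resolve; anything else is rejected.
ALLOWED_TYPES = {"User": User, "Group": Group}
TYPE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def resolve_vulnerable(request_json: str):
    """Mirrors the bug: each value in the _discriminator map goes to eval()."""
    data = json.loads(request_json)
    disc = data.get("_discriminator", {})
    return {field: eval(type_name) for field, type_name in disc.items()}

def resolve_hardened(request_json: str):
    """Values are validated and mapped through an allowlist, never evaluated."""
    data = json.loads(request_json)
    disc = data.get("_discriminator", {})
    if not isinstance(disc, dict):
        raise ValueError("_discriminator must be an object")
    resolved = {}
    for field, type_name in disc.items():
        if not isinstance(type_name, str) or not TYPE_NAME.match(type_name):
            raise ValueError(f"malformed type name for field {field!r}")
        if type_name not in ALLOWED_TYPES:
            raise ValueError(f"unknown type {type_name!r} for field {field!r}")
        resolved[field] = ALLOWED_TYPES[type_name]
    return resolved

def rejects(request_json: str) -> bool:
    """True if the hardened resolver refuses the request."""
    try:
        resolve_hardened(request_json)
    except ValueError:
        return True
    return False

# Constructed inputs: a benign request, and one whose *value* is an expression
# rather than a type name (its key is identical, so a key-only filter passes it).
BENIGN = json.dumps({"_discriminator": {"owner": "User"}})
HOSTILE = json.dumps({"_discriminator": {"owner": "1 + 1"}})
```

Running both resolvers on `HOSTILE` shows the difference: the eval() version returns whatever the expression evaluates to, while the allowlist version raises before anything is evaluated.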